RFR: JDK-8237490: [macos] Add support notarizing jpackage app-image and dmg
Andy Herrick
andy.herrick at oracle.com
Sat Apr 4 12:53:22 UTC 2020
I think it best to modify these checks as part of a separate issue, and
leave these checks disabled as part of JDK-8237490. I have filed
JDK-8242155 to enhance these tests, including restoring these checks.
/ANdy
On 4/3/2020 7:29 PM, Alexander Matveev wrote:
> Hi Andy,
>
> http://cr.openjdk.java.net/~herrick/8237490/webrev.07/test/jdk/tools/jpackage/macosx/base/SigningBase.java.frames.html
>
> Maybe better to check for Catalina case as well, instead of disabling
> check. We can assume that on Catalina code 3 and not notarized will
> consider as pass. In case if it fails for some other reasons.
>
> Otherwise looks fine.
>
> Thanks,
> Alexander
>
> On 4/3/20 7:20 AM, Andy Herrick wrote:
>> sorry missing webrev pointer [4]
>>
>> [4] - http://cr.openjdk.java.net/~herrick/8237490/webrev.07
>>
>> /Andy
>>
>> On 4/3/2020 9:24 AM, Andy Herrick wrote:
>>> please review this revised webrev [4] to issue [2]
>>>
>>> The previous version generated a signed app that could be notarized,
>>> but then couldn't run because signing the whole app resigned the
>>> executable with reduced entitlements.
>>>
>>> This revision adds back in the entitlements when signing the whole
>>> app, as well as fixing the unit test that was failing the spctl call
>>> on Catalina due to signed app not being notarized.
>>>
>>>
>>> /Andy
>>>
>>> On 3/30/2020 1:19 PM, Andy Herrick wrote:
>>>> revised with minor fixes as per below - webrev at [3]
>>>>
>>>> [3] http://cr.openjdk.java.net/~herrick/8237490/webrev.06/
>>>>
>>>> /Andy
>>>>
>>>> On 3/28/2020 9:43 AM, Andy Herrick wrote:
>>>>>
>>>>> On 3/27/2020 5:18 PM, Alexander Matveev wrote:
>>>>>> Hi Andy,
>>>>>>
>>>>>> http://cr.openjdk.java.net/~herrick/8237490/webrev.05/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java.frames.html
>>>>>>
>>>>>> Line 819,857,902 - Looks like temp debug log message. Remove it
>>>>>> or align with rest of code.
>>>>> I will fix this.
>>>>>> http://cr.openjdk.java.net/~herrick/8237490/webrev.05/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources.properties.frames.html
>>>>>>
>>>>>> Line 70 - Capital F.
>>>>> and this
>>>>>>
>>>>>> Since we added "--timestamp" and "--options runtime" to
>>>>>> codesign, will it work with older Xcode and macOS we planning to
>>>>>> support?
>>>>> not sure - may need some discussion of what we support and
>>>>> possible conditional code here.
>>>>>>
>>>>>> Do we need any adjustments to signing tests we have?
>>>>>
>>>>> The existing tests pass, but this is not unexpected (and really
>>>>> means nothing) since the signing tests are all skipped unless
>>>>> specific test certs are installed on target machine.
>>>>>
>>>>> We need further discussion how one is expected to provision a
>>>>> machine to run these tests.
>>>>>
>>>>> /Andy
>>>>>
>>>>>>
>>>>>> Otherwise looks fine.
>>>>>>
>>>>>> Thanks,
>>>>>> Alexander
>>>>>>
>>>>>> On 3/27/20 12:35 PM, Andy Herrick wrote:
>>>>>>> Please review the fix to issue [1] at [2].
>>>>>>>
>>>>>>> This change enables notarization on Mac for dmg images and
>>>>>>> app-image zip files.
>>>>>>>
>>>>>>> /Andy
>>>>>>>
>>>>>>> [1]: https://bugs.openjdk.java.net/browse/JDK-8237490
>>>>>>>
>>>>>>> [2]: http://cr.openjdk.java.net/~herrick/8237490
>>>>>>>
>>>>>>
>
More information about the core-libs-dev
mailing list